Ask the Expert

Can you tell me how I was attacked and suggest a remedy?

In the past, I have applied the patches to my NT4 IIS 4.0 system to address the Web folder traversal/unicode problems (also CodeRed). If I look at my IIS logs, I see plenty of attempts to get to WinNT\system32\cmd.exe but all get turned down.

Last week, one of these attacks was successful. Looking in the log, it says that the request was (from memory) for:

/_vti_cnf/../../../../../../../winnt/system32/cmd.exe/c:dir

(I'm not sure if I have exactly the right number of /.. in there).

My system has InetPub on the D drive, and WinNT on the C drive, so I don't see how any number of /.. on the request could possibly result in a successful GET.

Can you explain this behaviour, and suggest any remedy?

I'm curious to see the exact URL. If the actual request was being passed to an executable or a script, the server may have returned a success (HTTP 200) message, regardless of whether the attacker actually succeeded in executing CMD.EXE. For example, this request could return a success message because someprogram.exe was successfully passed the following parameters:

http://yoursite/cgi-bin/someprogram.exe?./../../../winnt/system32/cmd.exe

However, no harm could be done unless someprogram.exe knew how to process the portion of the request after the command name--which may be the case, if the attacker was attempting to exploit a known vulnerability.
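The distinction the answer draws (a traversal string resolved by the server itself versus one merely handed to a program as a parameter) can be applied when triaging IIS logs. The following is an added example, not code from the original column; it assumes a W3C extended log whose #Fields line lists date, time, client IP, method, URI stem, URI query and status in that order, and the log lines are constructed for illustration (someprogram.exe is the hypothetical name used in the answer).

```python
import re
from urllib.parse import unquote

# Constructed sample lines in W3C extended format. The field order below is an
# assumption; real IIS logs may list more fields in a different order.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-20 03:14:07 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-11-20 03:14:09 192.0.2.10 GET /_vti_cnf/../../../../winnt/system32/cmd.exe /c:dir 200
2001-11-20 03:15:02 192.0.2.11 GET /cgi-bin/someprogram.exe ./../../../winnt/system32/cmd.exe 200
2001-11-20 03:16:00 198.51.100.7 GET /index.htm - 200
"""

# Traversal sequences or a direct reference to the command interpreter.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|cmd\.exe)", re.IGNORECASE)

def classify(line):
    """Return (ip, stem, status, where) for a suspicious line, else None.
    'where' is 'path' when the traversal sits in the URI stem (the web server
    resolved it) and 'query' when it was only passed to a program as input."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, stem, query, status = parts
    # Decode twice so %25-encoded dots and slashes are also caught.
    stem_d, query_d = unquote(unquote(stem)), unquote(unquote(query))
    if TRAVERSAL.search(stem_d):
        where = "path"
    elif TRAVERSAL.search(query_d):
        where = "query"
    else:
        return None
    return ip, stem, int(status), where

def triage(log_text):
    """Split hits into three buckets: a 200 on a 'path' hit needs urgent
    investigation; a 200 on a 'query' hit may only be the target program
    reporting success; anything else was refused by the server."""
    hits = [h for h in (classify(ln) for ln in log_text.splitlines()) if h]
    urgent = [h for h in hits if h[2] == 200 and h[3] == "path"]
    check_program = [h for h in hits if h[2] == 200 and h[3] == "query"]
    blocked = [h for h in hits if h[2] != 200]
    return urgent, check_program, blocked
```

For the 'check_program' bucket, the next step is to examine how that program handles its argument, since the 200 alone does not tell you whether anything was executed.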

This was first published in December 2001
